Mandiant APT1 malware spreading around infecting thousands of computers

 

Symantec and few others reported about the multiple versions of APT – 1 infecting thousands of computers worldwide. The hackers are using multiple versions of Apt 1 tricking the users download the pdf.

As per Mandiant blog report.

As we noted yesterday, Brandon Dixon’s 9B+ blog and Symantec reported the discovery of two malicious versions of our APT1 report.  We wanted to provide follow-on details based on our analysis of these samples.  Additionally, we have attached Indicators of Compromise (IOCs) so folks can begin using them to detect the malware.

PDF1 – “Mandiant_APT2_Report” Lure

MD5: 14A6E24977FF6E7E8A8661AADFA1A1F3

This is a password protected PDF using the password “hello” and exploits the CVE-2011-2462 vulnerability from back in December of 2011. Once opened it drops %TEMP%\AdobeArm.tmp (4D9A1144E08E7FAE7D6DB8BC606F5BE5) and %TEMP%\Mandiant_APT2_Report.pdf (29E9494E2EBA1D8F8AD9EE308FFE53EF). The newly dropped report is opened and the AdobeArm.tmp binary is executed.

– See more at: https://www.mandiant.com/blog/threat-actors-mandiant-apt1-report-spear-phishing-lure-nitty-gritty/#sthash.Ds1gumcA.dpuf

Screenshot from Symantec

image_1

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *